Tennessee Breach-Notification Law Indicative of Data-Security Regulators’ Lack of Creativity

Guest Commentary

There is no shortage of data-privacy and security laws in the United States. By our count there are now about 300 state and federal statutes. They include breach-notification laws, data-disposal laws, data-safeguard laws, payment card information-protection laws … the list goes on and on. Many of these laws, and practical strategies for managing compliance with them, are discussed in a Washington Legal Foundation Contemporary Legal Notes paper I authored, Data Privacy and Security Practical Guide for In-House Counsel.

Nonetheless the push continues to be a push for more regulation to make sure that the consumer data held by companies is secure.

Quantity does not, in this case, equal quality. In fact, it means the opposite. The quantity of data-security legislation imposes a significant cost on businesses to stay abreast of the changing legal landscape and to comply with (or to be confused by) what can best be characterized as technical or procedural differences between the data-security laws. For example, following a data breach the 54 different breach-notification statutes may require a business to notify 25 different federal and state agencies. Notifying 25 different agencies does little, or nothing, to strengthen private-sector data security, protect consumers, or prevent identity theft; it does impose a compliance burden and create 25 opportunities for a good corporate citizen to unintentionally violate a statute.

Perhaps most disappointing, despite the quantity of regulation, legislators and regulators have displayed relatively little creative thinking and most changes serve to confuse the business community rather than to help direct them toward best practices.

For example, the Tennessee legislature recently amended its data-breach notification statute so that beginning on July 1, 2016, a “breach of security,” which used to be defined as “unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality or integrity of personal information,” will no longer have the qualifier that the data must be “unencrypted.”

News articles and the legal press have characterized the change as making the Tennessee statute “among the nation’s toughest,” and as requiring breach notification “regardless of whether or not the information … was encrypted.”

In actuality, the change will have very little, if any, impact on businesses besides generating some counterproductive confusion. Although the statute will no longer technically contain an automatic “encryption safe harbor,” the statute will still require consumer notification only if an incident “materially compromises the security” of personal information. If data is encrypted, the encryption is strong, and the encryption key is not compromised in most, if not all, situations, the personal information will not be “materially compromised” and notification will not be needed. This is functionally the same result that would be reached under a dozen other state statutes that include an “encryption safe harbor,” but require, in order for the safe harbor to apply, that the encryption key not be compromised, and that the encryption be sufficient to make the data unusable to the unauthorized party (i.e., a different way of stating that there has been no “material” compromise). Despite the headlines, the real moniker of this change should be “much ado about nothing.”

If regulators want to improve data security, they should move away from tweaks to the existing framework, or enactment of substantively duplicative legislation, and should instead meet with the business community to design new and creative means for improving data security, decreasing regulation, and lowering business risk.

A good example of such an effort came from New York Attorney General Eric Schneiderman who proposed last year what would have been a new framework for state data-security regulation. Instead of trying to impose additional penalties on businesses following a data breach (which arguably do not need more motivation to avoid breaches) or remove safe harbors, he proposed a framework by which companies that voluntarily adopted the highest standards for data protection—such as independent auditing of security frameworks—could qualify for a new safe harbor from suit in the event of a data breach. If that legislation had passed it would have provided a carrot, not a stick, to businesses as well as specific tangible direction toward maturing security programs.